

By John Leyden, 19th July 2016 17:39

DDoS trends: Bigger, badder but not longer

10Gbps is the new norm, warns Arbor Networks

DDoS attacks once again escalated in both size and frequency during the first six months of 2016.

Netscout's DDoS mitigation arm Arbor Networks warns that attacks greater than 100Gbps are far from uncommon. The security firm has monitored 274 attacks over 100Gbps in the first half of 2016, versus 223 in all of 2015.

The biggest single attack maxed out at an eye-watering 579Gbps, a 73 per cent increase in peak attack size over 2015.

The US, France and the UK are the top targets for attacks over 10Gbps. The average attack size in the first half of 2016 was 986Mbps, a 30 per cent increase over 2015, and enough to knock most organizations completely offline.

"High-bandwidth attacks can only be mitigated in the cloud, away from the intended target," said Darren Anstee, Arbor Networks' chief security technologist.

"However, despite massive growth in attack size at the top end, 80 per cent of all attacks are still less than 1Gbps and 90 per cent last less than one hour. On-premise protection provides the rapid reaction needed and is key against 'low and slow' application-layer attacks, as well as state exhaustion attacks targeting infrastructure such as firewalls and IPS."

Contrary to what many techies might believe, large DDoS attacks do not require the use of reflection amplification techniques. LizardStresser, an IoT botnet, was used to launch attacks as large as 400Gbps targeting gaming sites worldwide, Brazilian financial institutions, ISPs and government institutions.

According to ASERT, the attack packets do not appear to be from spoofed source addresses – and no UDP-based amplification protocols such as NTP or SNMP were used.

Reflection amplification is a technique that allows hackers to both magnify the amount of traffic they can generate and obfuscate the original sources of attack traffic. Outside of the LizardStresser example, it's by far the most common means of running a high-volume DDoS attack. Junk traffic is bounced off insecure NTP or DNS servers toward the intended victim.

"DDoS remains a commonly used attack type due to the ready availability of free tools and inexpensive online services that allow anyone with a grievance and an internet connection to launch an attack," Arbor warns. "This has led to an increase in the frequency, size and complexity of attacks in recent years."

Arbor's data is gathered through Active Threat Level Analysis System (ATLAS), a collaborative partnership with more than 330 service provider customers who share anonymous traffic data with Arbor in order to collectively benefit from a comprehensive, aggregated view of global traffic and threats. ®
